Junos® OS
User Access and Authentication User Guide
Published
2020-03-26
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS User Access and Authentication User Guide
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation | xxix
Documentation and Release Notes | xxix
Using the Examples in This Manual | xxix
Merging a Full Example | xxx
Merging a Snippet | xxxi
Documentation Conventions | xxxi
Documentation Feedback | xxxiv
Requesting Technical Support | xxxiv
Self-Help Online Tools and Resources | xxxv
Creating a Service Request with JTAC | xxxv
1 Login Classes and Login Settings
Junos OS Login Classes Overview | 37
Junos OS Login Classes Overview | 37
Permission Bits | 38
Denying or Allowing Individual Commands | 41
Defining Junos OS Login Classes | 41
Example: Creating Login Classes with Specific Privileges | 42
Junos OS Login Settings | 43
Configuring Junos OS to Display a System Login Announcement | 44
Configuring System Alarms to Appear Automatically Upon Login | 46
Configuring Login Tips | 46
Examples: Configuring Time-Based User Access | 47
Configuring the Timeout Value for Idle Login Sessions | 48
Login Retry Options | 49
Limiting the Number of User Login Attempts for SSH and Telnet Sessions | 50
Example: Configuring Login Retry Options | 52
2 User Accounts
Junos OS User Accounts | 57
Junos OS User Accounts Overview | 57
Junos-FIPS Crypto Officer and User Accounts Overview | 59
Crypto Officer User Configuration | 60
FIPS User Configuration | 60
Example: Configuring User Accounts | 60
Example: Configuring New Users | 61
Configuring Junos OS User Accounts by Using a Configuration Group | 68
Junos OS Administrative Roles | 71
Understanding Administrative Roles | 72
Example: Configuring Administrative Roles | 74
Configuring a Local Administrator Account | 82
Junos OS User Access Privileges | 83
Understanding Junos OS Access Privilege Levels | 84
Junos OS Login Class Permission Flags | 84
Allowing or Denying Individual Commands for Junos OS Login Classes | 88
Example: Configuring User Permissions with Access Privilege Levels | 89
Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies | 94
Understanding Regular Expressions | 94
Specifying Regular Expressions | 97
Regular Expressions Operators | 99
Regular Expression Examples | 102
Examples of Defining Access Privileges Using allow-configuration and deny-configuration Statements | 105
Example: Using Additive Logic With Regular Expressions to Specify Access Privileges | 108
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands | 111
Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies | 126
3 Passwords for User Access
Root Password | 142
Configuring the Root Password | 142
Example: Configuring a Plain-Text Password for Root Logins | 144
Example: Configuring SSH Authentication for Root Logins | 147
Recovering Root Password | 148
Recovering the Root Password on Routers | 148
Recovering the Root Password on Junos OS with Upgraded FreeBSD | 151
Recovering the Root Password for Junos OS Evolved | 154
Connecting to the Serial Port | 154
Recovering the Root Password | 156
Recovering the Root Password on Switches | 158
Plain-Text Passwords | 161
Changing the Requirements for Junos OS Plain-Text Passwords | 161
Example: Changing the Requirements for Junos OS Plain-Text Passwords | 162
Master Password for Configuration Encryption | 164
Hardening Shared Secrets in Junos OS | 165
Understanding Hardening Shared Secrets | 165
Using Trusted Platform Module to Bind Secrets on SRX Series Devices | 167
Limitations | 168
Configuring Master Encryption Password | 168
Verifying the Status of the TPM | 169
Changing the Master Encryption Password | 169
4 User Authentication
Junos OS User Authentication Overview | 172
Junos OS User Authentication Methods | 172
Configuring Local User Template Accounts for User Authentication | 173
Configuring Remote Template Accounts for User Authentication | 175
Example: Creating Template Accounts | 176
Understanding Remote Authentication Servers | 180
Local Password Authentication with Remote Authorization on TACACS+ Server | 181
Authentication Order for RADIUS, TACACS+, and Local Password | 182
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication | 182
Using RADIUS or TACACS+ Authentication | 183
Using Local Password Authentication | 183
Order of Authentication Attempts | 184
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication | 189
Example: Configuring Authentication Order | 191
Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication | 194
RADIUS Authentication | 197
Configuring RADIUS Server Authentication | 197
Why Use RADIUS | 198
Configuring RADIUS Server Details | 198
Configuring RADIUS To Use the Management Instance | 202
Example: Configuring a RADIUS Server for System Authentication | 203
Example: Configuring RADIUS Authentication | 206
Configuring RADIUS Authentication (QFX Series or OCX Series) | 208
Configuring RADIUS Server Details | 209
Configuring MS-CHAPv2 for Password-Change Support | 210
Specifying a Source Address for the Junos OS to Access External RADIUS Servers | 211
Juniper Networks Vendor-Specific RADIUS Attributes | 211
Juniper-Switching-Filter VSA Match Conditions and Actions | 215
Understanding RADIUS Accounting | 218
Configuring RADIUS System Accounting | 219
Configuring Auditing of User Events on a RADIUS Server | 219
Specifying RADIUS Server Accounting and Auditing Events | 220
Configuring RADIUS Server Accounting | 220
RADIUS over TLS (RADSEC) | 223
Configure the RADSEC Destination | 224
Configure TLS Connection Parameters | 225
Example: Simple RADSEC Configuration | 226
Monitoring Certificates | 226
Monitoring RADSEC Destinations | 227
TACACS+ Authentication | 227
Configuring TACACS+ Authentication | 228
Configuring TACACS+ Server Details | 228
Configuring TACACS+ to Use the Management Instance | 230
Specifying a Source Address for the Junos OS to Access External TACACS+ Servers | 230
Configuring the Same Authentication Service for Multiple TACACS+ Servers | 231
Configuring Juniper Networks Vendor-Specific TACACS+ Attributes | 231
Example: Configuring a TACACS+ Server for System Authentication | 232
Configuring Periodic Refresh of the TACACS+ Authorization Profile | 235
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands | 237
Juniper Networks Vendor-Specific TACACS+ Attributes | 240
Configuring TACACS+ System Accounting | 242
Specifying TACACS+ Auditing and Accounting Events | 243
Configuring TACACS+ Server Accounting | 243
Configuring TACACS+ To Use the Management Instance | 245
Configuring TACACS+ Accounting on a TX Matrix Router | 246
Authentication for Routing Protocols | 247
Junos OS Authentication Methods for Routing Protocols | 247
Example: Configuring the Authentication Key for BGP and IS-IS Routing Protocols | 248
Configuring BGP | 248
Configuring IS-IS | 249
Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250
Configuring Authentication Key Updates | 251
Configuring BGP and LDP for Authentication Key Updates | 251
5 Remote Access Management
Remote Access Overview | 254
System Services Overview | 254
Configuring Telnet Service for Remote Access to a Router or Switch | 255
Configuring FTP Service for Remote Access to the Router or Switch | 256
Configuring Finger Service for Remote Access to the Router | 257
Configuring SSH Service for Remote Access to the Router or Switch | 257
Configuring the Root Login Through SSH | 259
Configuring Incoming SFTP Connections | 260
Configuring the SSH Protocol Version | 260
Configuring the Client Alive Mechanism | 261
Configuring the SSH Fingerprint Hash Algorithm | 261
The telnet Command | 262
The ssh Command | 263
Configuring SSH Host Keys for Secure Copying of Data | 264
Configuring SSH Known Hosts | 265
Configuring Support for SCP File Transfer | 266
Updating SSH Host Key Information | 266
Configuring the SSH Service to Support Legacy Cryptography | 268
Configuring Outbound SSH Service | 270
Configuring the Device Identifier for Outbound SSH Connections | 271
Sending the Public SSH Host Key to the Outbound SSH Client | 271
Configuring Keepalive Messages for Outbound SSH Connections | 272
Configuring a New Outbound SSH Connection | 273
Configuring the Outbound SSH Client to Accept NETCONF as an Available Service | 273
Configuring Outbound SSH Clients | 273
Configuring Routing Instances for Outbound SSH Clients | 274
Configuring NETCONF-Over-SSH Connections on a Specified TCP Port | 274
Configuring Password Retry Limits for Telnet and SSH Access | 275
Example: Configuring a Filter to Block Telnet and SSH Access | 276
USB Modems for Remote Management of Security Devices | 284
USB Modem Interface Overview | 284
USB Modem Interfaces | 285
Dialer Interface Rules | 285
How the Device Initializes USB Modems | 286
USB Modem Configuration Overview | 287
Example: Configuring a USB Modem Interface | 290
Example: Configuring a Dialer Interface | 293
Example: Configuring a Dialer Interface for USB Modem Dial-In | 298
Configuring a Dial-Up Modem Connection Remotely | 300
Connecting to the Device Remotely | 302
Modifying USB Modem Initialization Commands | 302
Resetting USB Modems | 303
Secure Web Access for Remote Management | 304
Secure Web Access Overview | 304
Generating SSL Certificates for Secure Web Access (SRX Series Devices) | 305
Generating SSL Certificates to Be Used for Secure Web Access (EX Series Switch) | 306
Generating a Self-Signed SSL Certificate Automatically | 307
Manually Generating Self-Signed SSL Certificates | 307
Deleting Self-Signed Certificates (CLI Procedure) | 308
Understanding Self-Signed Certificates on EX Series Switches | 308
Manually Generating Self-Signed Certificates on Switches (CLI Procedure) | 310
Generating a Public-Private Key Pair on Switches | 310
Generating Self-Signed Certificates on Switches | 311
Example: Configuring Secure Web Access | 311
Example: Controlling Management Access on SRX Series Devices | 314
Configuration Guidelines for Securing Console Port Access | 319
Securing Console Port | 319
Securing Mini-USB Ports | 321
Configuring the Console Port Type (CLI Procedure) | 322
6 Access Control on Switches
Access Control and Authentication on Switching Devices | 326
Understanding Authentication on Switches | 326
Sample Authentication Topology | 327
802.1X Authentication | 329
MAC RADIUS Authentication | 330
Captive Portal Authentication | 331
Static MAC Bypass of Authentication | 331
Fallback of Authentication Methods | 332
Understanding Access Control on Switches | 333
Understanding Authentication Session Timeout | 335
Controlling Authentication Session Timeouts (CLI Procedure) | 336
Preventing Unauthorized Access to EX Series Switches Using Unattended Mode for U-Boot | 338
Understanding Unattended Mode for U-Boot on EX Series Switches | 338
Using Unattended Mode for U-Boot to Prevent Unauthorized Access | 340
Configuring the Boot Loader Password | 341
Configuring Unattended Mode for U-Boot | 342
Accessing the U-Boot CLI | 342
RADIUS Server Configuration for Authentication | 343
Specifying RADIUS Server Connections on Switches (CLI Procedure) | 344
Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) | 345
Configuring MS-CHAPv2 for Password-Change Support | 346
Understanding Server Fail Fallback and Authentication on Switches | 348
Configuring RADIUS Server Fail Fallback (CLI Procedure) | 349
802.1X Authentication | 351
802.1X for Switches Overview | 352
How 802.1X Authentication Works | 352
802.1X Features Overview | 353
802.1X Authentication on Trunk Ports | 354
Configuring 802.1X Interface Settings (CLI Procedure) | 355
Understanding RADIUS-Initiated Changes to an Authorized User Session | 357
Disconnect Messages | 357
Change of Authorization Messages | 358
CoA Request Port Bounce | 358
Error-Cause Codes | 359
Filtering 802.1X Supplicants by Using RADIUS Server Attributes | 360
Configuring Firewall Filters on the RADIUS Server | 361
Applying a Locally Configured Firewall Filter from the RADIUS Server | 364
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch | 365
Understanding Dynamic Filters Based on RADIUS Attributes | 370
Understanding Dynamic VLAN Assignment Using RADIUS Attributes | 371
Understanding Guest VLANs for 802.1X on Switches | 372
Example: Configuring 802.1X Authentication Options When the RADIUS Server Is Unavailable to an EX Series Switch | 373
Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients | 379
Monitoring 802.1X Authentication | 385
Verifying 802.1X Authentication | 386
Troubleshooting Authentication of End Devices on EX Series Switches | 388
MAC RADIUS Authentication | 390
Configuring MAC RADIUS Authentication (CLI Procedure) | 391
Example: Configuring MAC RADIUS Authentication on an EX Series Switch | 392
802.1X and RADIUS Accounting | 399
Understanding 802.1X and RADIUS Accounting on Switches | 400
RADIUS Accounting Process | 400
Supported RADIUS Attributes | 401
Configuring 802.1X RADIUS Accounting (CLI Procedure) | 403
Example: Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch | 405
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch | 413
Interfaces Enabled for 802.1X or MAC RADIUS Authentication | 420
Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants by Using RADIUS Server Attributes on an EX Series Switch | 420
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication | 428
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on EX Series Switches with ELS Support | 435
Static MAC Bypass of 802.1X and MAC RADIUS Authentication | 441
Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication (CLI Procedure) | 442
Example: Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication on an EX Series Switch | 443
Captive Portal Authentication | 449
Example: Setting Up Captive Portal Authentication on an EX Series Switch | 449
Configuring Captive Portal Authentication (CLI Procedure) | 456
Configuring Secure Access for Captive Portal | 456
Enabling an Interface for Captive Portal | 457
Configuring Bypass of Captive Portal Authentication | 457
Designing a Captive Portal Authentication Login Page on Switches | 458
Configuring Captive Portal Authentication (CLI Procedure) on an EX Series Switch with ELS Support | 461
Configuring Secure Access for Captive Portal | 462
Enabling an Interface for Captive Portal | 462
Configuring Bypass of Captive Portal Authentication | 463
Example: Setting Up Captive Portal Authentication on an EX Series Switch with ELS Support | 463
Flexible Authentication Order on EX Series Switches | 469
Configuring Flexible Authentication Order | 470
Configuring EAPoL Block to Maintain an Existing Authentication Session | 472
Central Web Authentication | 474
Understanding Central Web Authentication | 474
Central Web Authentication Process | 475
Dynamic Firewall Filters for Central Web Authentication | 476
Redirect URL for Central Web Authentication | 477
Configuring Central Web Authentication | 477
Configuring Dynamic Firewall Filters for Central Web Authentication | 478
Configuring the Redirect URL for Central Web Authentication | 479
Guidelines for Configuring Central Web Authentication | 480
Centralized Access Control to Network Resources on EX Series Switches | 481
Understanding Centralized Network Access Control and EX Series Switches | 481
NAC Using Any RADIUS Server and Access Policies Defined on the Local Switch | 482
Centralized NAC Using Junos Pulse Access Control Service | 482
Captive Portal Authentication | 483
Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control (CLI Procedure) | 484
OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse Access Control Service (CLI Procedure) | 488
VoIP on EX Series Switches | 489
Understanding 802.1X and VoIP on EX Series Switches | 489
Multi Domain 802.1X Authentication | 491
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch | 492
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 501
Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 508
Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication | 514
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch with ELS Support | 522
7 Configuring IEEE 802.1x Port-Based Network Access Control
IEEE 802.1x Port-Based Network Access Control Overview | 534
Understanding the Administrative State of the Authenticator Port | 535
Understanding the Administrative Mode of the Authenticator Port | 535
Configuring the Authenticator | 536
Viewing the dot1x Configuration | 537
8 Configuring IEEE 802.1x Port-Based Network Access Control in Enhanced LAN Mode
802.1X for MX Series Routers in Enhanced LAN Mode Overview | 540
How 802.1X Authentication Works | 541
802.1X Features Overview | 543
Supported Features Related to 802.1X Authentication | 543
Understanding 802.1X and LLDP and LLDP-MED on MX Series Routers in Enhanced LAN Mode | 544
Understanding 802.1X and RADIUS Accounting on MX Series Routers in Enhanced LAN Mode | 547
Understanding 802.1X and VoIP on MX Series Routers in Enhanced LAN Mode | 548
Understanding Guest VLANs for 802.1X on MX Series Routers in Enhanced LAN Mode | 551
Understanding Dynamic VLANs for 802.1X on MX Series Routers in Enhanced LAN Mode | 551
Understanding Server Fail Fallback and Authentication on MX Series Routers in Enhanced LAN Mode | 552
Configuring 802.1X RADIUS Accounting on MX Series Routers in Enhanced LAN Mode | 553
Configuring 802.1X Interface Settings on MX Series Routers in Enhanced LAN Mode | 556
Configuring LLDP-MED on MX Series Routers in Enhanced LAN Mode | 558
Enabling LLDP-MED on Interfaces | 558
Configuring Location Information Advertised by the Router | 558
Configuring for Fast Start | 559
Configuring LLDP on MX Series Routers in Enhanced LAN Mode | 560
Enabling LLDP on Interfaces | 560
Adjusting LLDP Advertisement Settings | 561
Adjusting SNMP Notification Settings of LLDP Changes | 562
Specifying a Management Address for the LLDP Management TLV | 563
Configuring Server Fail Fallback on MX Series Routers in Enhanced LAN Mode | 564
Understanding Captive Portal Authentication on the MX Series Routers | 566
Limitations of Captive Portal | 566
Understanding Authentication Session Timeout on MX Series Routers | 567
Authentication Process Flow for MX Series Routers in Enhanced LAN Mode | 568
Specifying RADIUS Server Connections on an MX Series Router in Enhanced LAN Mode | 570
Configuring Captive Portal Authentication on MX Series Routers in Enhanced LAN Mode | 571
Configuring Secure Access for Captive Portal | 572
Enabling an Interface for Captive Portal | 573
Configuring Bypass of Captive Portal Authentication | 573
Designing a Captive Portal Authentication Login Page on an MX Series Router | 574
Configuring Static MAC Bypass of Authentication on MX Series Routers in Enhanced LAN Mode | 577
Controlling Authentication Session Timeouts on an MX Series Router in Enhanced LAN Mode | 578
Configuring MAC RADIUS Authentication on MX Series Routers in Enhanced LAN Mode | 580
Example: Configuring MAC RADIUS Authentication on an MX Series Router | 582
Example: Setting Up Captive Portal Authentication on an MX Series Router | 587
Example: Connecting a RADIUS Server for 802.1X to an MX Series Router | 594
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an MX Series Router | 598
Example: Configuring Static MAC Bypass of Authentication on an MX Series Router | 602
Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on MX Series Routers | 607
9 Device Discovery
Device Discovery Using LLDP and LLDP-MED on Switches | 615
Understanding LLDP | 615
Configuring LLDP (CLI Procedure) | 616
Enabling LLDP on Interfaces | 617
Adjusting LLDP Advertisement Settings | 617
Adjusting SNMP Notification Settings of LLDP Changes | 618
Specifying a Management Address for the LLDP Management TLV | 619
Configuring LLDP Power Negotiation | 619
Disabling LLDP TLVs | 620
Configuring LLDP (J-Web Procedure) | 622
Understanding LLDP and LLDP-MED on EX Series Switches | 623
Benefits of LLDP and LLDP-MED | 623
LLDP and LLDP-MED Overview | 624
Supported LLDP TLVs | 624
Supported LLDP-MED TLVs | 626
Disabling TLVs | 627
Configuring LLDP-MED (CLI Procedure) | 627
Enabling LLDP-MED on Interfaces | 627
Configuring Location Information Advertised by the Switch | 628
Configuring a Fast Start for LLDP-MED | 628
Disabling LLDP-MED TLVs | 629
NetBIOS Snooping on EX Series Switches | 631
Understanding NetBIOS Snooping | 631
What Is a NetBIOS Name? | 631
How NetBIOS Snooping Works | 632
Configuring NetBIOS Snooping (CLI Procedure) | 632
Enabling NetBIOS Snooping | 633
Disabling NetBIOS Snooping | 633
10 Domain Name Security
DNSSEC Overview | 635
Configuring the TTL Value for DNS Server Caching | 635
Example: Configuring DNSSEC | 637
Example: Configuring Secure Domains and Trusted Keys for DNSSEC | 638
Example: Configuring Keys for DNSSEC | 640
DNS Proxy Overview | 641
DNS Proxy Cache | 641
DNS Proxy with Split DNS | 642
Dynamic Domain Name System Client | 644
Configuring the Device as a DNS Proxy | 646
11 Permission Flags
access | 652
access-control | 657
admin | 658
admin-control | 664
all-control | 665
clear | 666
configure | 767
control | 768
field | 769
firewall | 770
firewall-control | 775
floppy | 776
flow-tap | 777
flow-tap-control | 782
flow-tap-operation | 783
idp-profiler-operation | 784
interface | 784
interface-control | 790
maintenance | 791
network | 804
pgcp-session-mirroring | 807
pgcp-session-mirroring-control | 812
reset | 812
rollback | 814
routing | 814
routing-control | 825
secret | 831
secret-control | 837
security | 839
security-control | 849
shell | 854
snmp | 855
snmp-control | 860
system | 861
system-control | 869
trace | 871
trace-control | 883
view | 890
view-configuration | 1040
12 Configuration Statements
accounting (System) | 1048
accounting-order | 1050
accounting-port (RADIUS Server) | 1051
accounting-server | 1052
address-protection | 1054
algorithm (Authentication Keychain) | 1056
archival | 1057
authentication-key-chains | 1059
authentication-order (System) | 1061
authentication-order (Authenticator) | 1063
authentication-protocol | 1066
authentication-whitelist | 1068
authenticator | 1070
boot-loader-authentication | 1073
boot-server (NTP) | 1075
boot-server (NTP) | 1076
broadcast | 1078
broadcast | 1080
broadcast-client | 1081
broadcast-client | 1082
ca-type | 1083
captive-portal | 1085
civic-based | 1087
class (Defining Login Classes) | 1089
connection-limit | 1100
custom-options | 1102
description (Authentication Keychain) | 1105
destination (Accounting) | 1106
destination (Accounting) | 1108
destination (RADSEC) | 1110
detection-time | 1112
disable (DNSSEC) | 1113
dlv | 1114
dot1x | 1115
eapol-block | 1118
enhanced-avs-max | 1120
events | 1121
failover-delay | 1122
file (System Logging) | 1123
file (System Logging) | 1125
finger | 1127
flow-tap-dtcp | 1128
ftp | 1129
host (SSH Known Hosts) | 1130
hostkey-algorithm | 1132
http (Web Management) | 1134
https (Web Management) | 1135
interface (802.1X) | 1137
interface (Captive Portal) | 1145
interface (LLDP) | 1148
interface (LLDP-MED) | 1151
interface (VoIP) | 1153
interface-description-format | 1155
interfaces (ARP) | 1157
interfaces (Security Zones) | 1158
key (Authentication Keychain) | 1159
key-chain (Security) | 1161
key-exchange | 1163
lldp | 1165
lldp-med (Ethernet Switching) | 1173
lldp-priority | 1175
local-certificate | 1176
location (LLDP-MED) | 1177
location (System) | 1179
login | 1181
mac-radius | 1186
master-password | 1188
method | 1190
multi-domain | 1192
multicast-client | 1194
multicast-client | 1195
nas-port-extended-format | 1196
nas-port-id-format (Subscriber Management) | 1198
nas-port-type (Subscriber Management) | 1200
ntp | 1202
options (Security) | 1205
outbound-ssh | 1206
password (Login) | 1209
password-options | 1215
peer (NTP) | 1216
port (NETCONF) | 1217
port (RADIUS Server) | 1218
port (SRC Server) | 1219
port (TACACS+ Server) | 1220
profile | 1221
profilerd | 1223
provisioning-order (Diameter Applications) | 1224
proxy | 1225
radius (System) | 1226
radius-options (System) | 1227
radius-server | 1229
radius-server | 1231
radius-server (System) | 1233
radsec | 1234
radsec-destination | 1236
rate-limit | 1237
regex-additive-logic | 1239
remote-debug-permission | 1240
retry | 1241
retry (RADIUS) | 1242
retry-options | 1243
revert-interval (Access) | 1245
root-authentication | 1246
routing-engine-profile | 1248
routing-instance | 1249
routing-instance (Accounting and Authentication) | 1250
secret (RADIUS or TACACS+ Server) | 1252
server (NTP) | 1254
server (DNS, Port, and TFTP Service) | 1256
server (RADIUS Accounting) | 1258
server (TACACS+ Accounting) | 1259
server-reject-bridge-domain | server-reject-vlan | 1260
servers | 1262
service (Service Accounting) | 1263
service-deployment | 1264
services (Switches) | 1265
session (Web Management) | 1266
single-connection | 1267
sip-server | 1268
source-address (NTP, RADIUS, System Logging, or TACACS+) | 1269
source-address (SRC Software) | 1270
ssh (System Services) | 1271
ssh-known-hosts | 1279
ssh-known-hosts | 1280
ssl-renegotiation | 1281
start-time (Authentication Key Transmission) | 1282
static (802.1X) | 1284
static-subscribers | 1285
statistics-service | 1286
subscriber-management-helper | 1287
tacplus | 1288
tacplus | 1289
tacplus-options | 1291
tacplus-server | 1294
telnet | 1296
tftp | 1297
timeout (System) | 1298
timeout-action (Access Control Service) | 1299
tlv-filter | 1300
tlv-select | 1303
traceoptions (802.1X) | 1306
traceoptions (DNS, Port, and TFTP Packet Forwarding) | 1308
traceoptions (LLDP) | 1311
traceoptions (Outbound SSH) | 1314
traceoptions (SBC Configuration Process) | 1316
traceoptions (Security) | 1318
trusted-key | 1320
uac-policy | 1321
uac-service | 1322
uac-service | 1323
unattended-boot | 1324
usb-control | 1325
user (Access) | 1326
voip | 1329
vpn (Forwarding Options) | 1330
watchdog | 1331
web-management (System Services) | 1332
web-management (System Processes) | 1336
xnm-clear-text | 1337
xnm-ssl | 1338
13 Operational Commands
clear accounting server statistics archival-transfer | 1344
clear captive-portal | 1345
clear dot1x | 1348
clear lldp neighbors | 1351
clear lldp statistics | 1352
clear lldp neighbors | 1353
clear lldp statistics | 1354
clear network-access radsec state | 1355
clear network-access radsec statistics | 1356
clear security pki local-certificate | 1357
clear security ssh key-pair-identity | 1359
clear system login lockout | 1360
request component login | 1361
request ipsec switch | 1364
request message | 1365
request security certificate enroll (Signed) | 1367
request security certificate enroll (Unsigned) | 1369
request security key-pair | 1371
request security pki generate-key-pair | 1373
request security pki local-certificate generate-self-signed | 1375
request security ssh key-pair-identity generate | 1377
request security tpm master-encryption-password set | 1379
request system autorecovery state | 1381
request system decrypt password | 1384
request system download abort | 1386
request system download clear | 1388
request system download pause | 1389
request system download resume | 1391
request system download start | 1393
request system firmware upgrade | 1395
request system license update | 1397
request system reboot | 1399
request system reboot (SRX Series) | 1409
request system snapshot (Maintenance) | 1411
request system software abort in-service-upgrade (ICU) | 1415
request system software add (Maintenance) | 1417
request system software rollback (SRX Series) | 1418
request system zeroize | 1419
show accounting server statistics archival-transfer | 1421
show captive-portal authentication-failed-users | 1422
show captive-portal firewall | 1424
show captive-portal interface | 1427
show chassis routing-engine (View) | 1431
show dot1x | 1437
show dot1x accounting attribute | 1444
show dot1x authentication-failed-users | 1447
show dot1x firewall | 1449
show dot1x static-mac-address | 1451
show dot1x statistics | 1453
show ethernet-switching interface | 1456
show ethernet-switching interfaces | 1460
show firewall (View) | 1470
show lldp | 1473
show lldp local-information | 1481
show lldp neighbors | 1484
show lldp neighbors | 1490
show lldp remote-global-statistics | 1498
show lldp statistics | 1500
show lldp statistics | 1502
show network-access aaa statistics accounting | 1505
show network-access aaa statistics authentication | 1507
show network-access aaa statistics dynamic-requests | 1509
show network-access radsec local-certificate | 1511
show network-access radsec statistics | 1514
show network-access radsec state | 1517
show route extensive | 1520
show route instance | 1546
show security ssh key-pair-identity | 1551
show security pki local-certificate | 1553
show security tpm status | 1557
show services unified-access-control authentication-table | 1559
show services unified-access-control policies | 1562
show services unified-access-control status | 1565
show snmp | 1566
show snmp statistics | 1569
show ssl-certificates | 1577
show system autorecovery state | 1580
show system download | 1582
show system license (View) | 1584
show system login lockout | 1588
show system services service-deployment | 1590
show system snapshot media | 1592
show system storage partitions | 1595
show system users | 1599
ssh | 1605
telnet | 1608
test access profile | 1611
test access radius-server | 1616
About the Documentation
IN THIS SECTION
Documentation and Release Notes | xxix
Using the Examples in This Manual | xxix
Documentation Conventions | xxxi
Documentation Feedback | xxxiv
Requesting Technical Support | xxxiv
The Junos operating system (Junos OS) enables you to configure user access and authentication features at the [edit system] hierarchy level of the CLI. Essential user access features include login classes, user accounts, access privilege levels, and user authentication methods. Use the topics on this page to configure essential user access features for your system.
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see CLI Explorer.
Documentation Conventions
Table 1 on page xxxii defines notice icons used in this guide.
Table 1: Notice Icons
Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page xxxii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure
Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active
Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute
Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name
Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.
Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub ;
Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)
Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only
Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]
Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Example (for both):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }
GUI Conventions
Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.
Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
• Click the thumbs-up icon if the information on the page was helpful to you.
• Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
• Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
• Visit https://myjuniper.juniper.net.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
CHAPTER 1
Login Classes and Login Settings
Junos OS Login Classes Overview | 37
Junos OS Login Settings | 43
Junos OS Login Classes Overview
IN THIS SECTION
Junos OS Login Classes Overview | 37
Defining Junos OS Login Classes | 41
Example: Creating Login Classes with Specific Privileges | 42
Junos OS login classes allow you to define access privileges, permission for using CLI commands and statements, and session idle time for each login class. You can apply a login class to an individual user account, thereby specifying certain privileges and permissions to the user. Read this topic for more information.
Junos OS Login Classes Overview
All users who can log in to the router or switch must be in a login class. With login classes, you define the following:
• Access privileges that users have when they are logged in to the router or switch
• Commands and statements that users can and cannot specify
• How long a login session can be idle before it times out and the user is logged out
You can define any number of login classes and then apply one login class to an individual user account.
The Junos operating system (Junos OS) contains a few predefined login classes, which are listed in Table 3 on page 37. The predefined login classes cannot be modified.
Table 3: Predefined System Login Classes
Login Class: Permission Flag Set
operator: clear, network, reset, trace, and view
read-only: view
superuser or super-user: all
unauthorized: None
NOTE:
• You cannot modify a predefined login class name. If you issue the set command on a predefined class name, the Junos OS appends -local to the login class name. The following message also appears:
    warning: '' is a predefined class name; changing to '-local'
• You cannot issue the rename or copy command on a predefined login class. Doing so results in the following error message:
    error: target '' is a predefined class
Permission Bits
Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission bits (see Table 4 on page 38).
Two forms for the permissions control the individual parts of the configuration:
• "Plain" form—Provides read-only capability for that permission type. An example is interface.
• Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.
Table 4: Permission Bits for Login Classes
Permission Bit: Access
admin: Can view user account information in configuration mode and with the show configuration command.
admin-control: Can view user accounts and configure them (at the [edit system login] hierarchy level).
access: Can view the access configuration in configuration mode and with the show configuration operational mode command.
access-control: Can view and configure access information (at the [edit access] hierarchy level).
all: Has all permissions.
clear: Can clear (delete) information learned from the network that is stored in various network databases (using the clear commands).
configure: Can enter configuration mode (using the configure command) and commit configurations (using the commit command).
control: Can perform all control-level operations (all operations configured with the -control permission bits).
field: Reserved for field (debugging) support.
firewall: Can view the firewall filter configuration in configuration mode.
firewall-control: Can view and configure firewall filter information (at the [edit firewall] hierarchy level).
floppy: Can read from and write to the removable media.
interface: Can view the interface configuration in configuration mode and with the show configuration operational mode command.
interface-control: Can view chassis, class of service, groups, forwarding options, and interfaces configuration information. Can configure chassis, class of service, groups, forwarding options, and interfaces (at the [edit] hierarchy).
maintenance: Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (by issuing the su root command), and can halt and reboot the device (using the request system commands).
network: Can access the network by entering the ping, ssh, telnet, and traceroute commands.
reset: Can restart software processes using the restart command and can configure whether software processes are enabled or disabled (at the [edit system processes] hierarchy level).
rollback: Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
routing: Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
routing-control: Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the [edit routing-options] hierarchy level), routing protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit policy-options] hierarchy level).
secret: Can view passwords and other authentication keys in the configuration.
secret-control: Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
security: Can view security configuration in configuration mode and with the show configuration operational mode command.
security-control: Can view and configure security information (at the [edit security] hierarchy level).
shell: Can start a local shell on the device by entering the start shell command.
snmp: Can view SNMP configuration information in configuration and operational modes.
snmp-control: Can view SNMP configuration information and configure SNMP (at the [edit snmp] hierarchy level).
system: Can view system-level information in configuration and operational modes.
system-control: Can view system-level configuration information and configure it (at the [edit system] hierarchy level).
trace: Can view trace file settings in configuration and operational modes.
trace-control: Can view trace file settings and configure trace file properties.
view: Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics.
Denying or Allowing Individual Commands
By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that are otherwise permitted or not allowed by a permission bit.
Defining Junos OS Login Classes
Login classes allow you to define the following:
• Access privileges that users have when they are logged in to the router or switch
• Commands and statements that users can and cannot specify
• How long a login session can be idle before it times out and the user is logged out
All users who can log in to the router or switch must be in a login class. Therefore, you must define a Junos OS login class for each user or class of users. You can define any number of login classes depending on the types of permissions the users need.
To define a login class and its access privileges, include the class statement at the [edit system login] hierarchy level:
[edit system login]
class class-name {
    access-end hh:mm;
    access-start hh:mm;
    ( allow-commands | allow-commands-regexps ) "regular expression 1" "regular expression 2";
    ( allow-configuration | allow-configuration-regexps ) "regular expression 1" "regular expression 2";
    allow-sources [ allow-sources ... ];
    allow-times [ allow-times ... ];
    allowed-days [ days of the week ];
    cli {
        prompt prompt;
    }
    configuration-breadcrumbs;
    confirm-commands [ "regular expression or command 1" "regular expression or command 2" ... ] {
        confirmation-message;
    }
    ( deny-commands | deny-commands-regexps ) [ "regular expression 1" "regular expression 2" ... ];
    ( deny-configuration | deny-configuration-regexps ) "regular expression 1" "regular expression 2";
    deny-sources [ deny-sources ... ];
    deny-times [ deny-times ... ];
    idle-timeout minutes;
    logical-system logical-system-name;
    login-alarms;
    login-script filename;
    login-tip;
    no-scp-server;
    no-sftp-server;
    permissions [ permissions ];
    satellite all;
    security-role (audit-administrator | crypto-administrator | ids-administrator | security-administrator);
    tenant tenant;
}
Example: Creating Login Classes with Specific Privileges
Login classes are used to assign certain permissions or restrictions to groups of users, ensuring that sensitive commands are only accessible to the appropriate users. By default, Juniper Networks devices have four types of login classes with preset permissions: operator, read-only, superuser or super-user, and unauthorized.
You can create new custom login classes to make different combinations of permissions that are not found in the default login classes. The following example shows how to create three custom login classes, each with specific privileges and timers to disconnect the class members after a period of inactivity. Inactivity timers help protect network security by disconnecting a user from the network if the user is away from his computer for too long, preventing potential security risks created by leaving an unattended account logged in to a switch or router. The permissions and inactivity timers shown here are only examples and should be customized to your organization.
The first class of users is called observation and they can only view statistics and configuration. They are not allowed to modify any configuration. The second class of users is called operation and they can view and modify the configuration. The third class of users is called engineering and they have unlimited access and control. All three login classes use the same inactivity timer of 5 minutes.
[edit]
system {
    login {
        class observation {
            idle-timeout 5;
            permissions [ view ];
        }
        class operation {
            idle-timeout 5;
            permissions [ admin clear configure interface interface-control network reset routing routing-control snmp snmp-control trace-control firewall-control rollback ];
        }
        class engineering {
            idle-timeout 5;
            permissions all;
        }
    }
}
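As an added example (not Juniper's code), the following script parses login classes written in the brace syntax shown above and audits them against Table 4, Table 3 and the idle-timeout guidance: which permission bits count as high-risk, the 10-minute idle ceiling, and the constructed sample configuration are this example's own assumptions.

```python
"""Audit Junos OS login classes from a configuration file.

Added example, not Juniper's code. It parses the curly-brace configuration
syntax shown in this guide and applies checks drawn from Table 4, Table 3
and the idle-timeout section. The grouping of bits into HIGH_RISK_BITS is
this example's own judgement, not a Junos OS definition.
"""
import re

# Bits from Table 4 that grant shell, superuser, secret or blanket write access.
HIGH_RISK_BITS = {"all", "control", "maintenance", "shell", "secret-control",
                  "admin-control", "system-control"}

# Predefined classes (Table 3). Configuring one of these names makes Junos OS
# append -local to the class name, so the intended class is never created.
PREDEFINED_CLASSES = {"operator", "read-only", "superuser", "super-user",
                      "unauthorized"}

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def parse_config(text):
    """Parse Junos brace syntax into nested dicts.

    Container statements map to a dict of their children; leaf statements
    (terminated by ';') map to None. Keys are the full statement text, for
    example 'class observation' or 'idle-timeout 5'. '[edit ...]' banner
    lines are dropped first.
    """
    text = re.sub(r"^\s*\[edit[^\]]*\]\s*$", "", text, flags=re.M)
    tokens = _TOKEN.findall(text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node

    return block()


def login_classes(tree):
    """Return {class_name: body} for every class under [edit system login]."""
    login = (tree.get("system") or {}).get("login") or {}
    return {key.split(" ", 1)[1]: body for key, body in login.items()
            if key.startswith("class ") and body is not None}


def permissions_of(body):
    """Return the set of permission bits, handling 'all' and '[ a b c ]'."""
    for key in body:
        parts = key.split()
        if parts and parts[0] == "permissions":
            return set(key[len("permissions"):]
                       .replace("[", " ").replace("]", " ").split())
    return set()


def idle_timeout_of(body):
    """Return the idle-timeout in minutes, or None when not configured."""
    for key in body:
        parts = key.split()
        if len(parts) == 2 and parts[0] == "idle-timeout":
            return int(parts[1])
    return None


def audit(text, max_idle=10):
    """Return [(class_name, finding), ...] in configuration order."""
    findings = []
    for name, body in login_classes(parse_config(text)).items():
        if name in PREDEFINED_CLASSES:
            findings.append((name, f"predefined class name; Junos OS stores it as {name}-local"))
        risky = sorted(permissions_of(body) & HIGH_RISK_BITS)
        if risky:
            findings.append((name, "high-risk permission bits: " + " ".join(risky)))
        idle = idle_timeout_of(body)
        if idle is None:
            findings.append((name, "no idle-timeout configured"))
        elif idle > max_idle:
            findings.append((name, f"idle-timeout {idle} exceeds {max_idle} minutes"))
    return findings


# Constructed sample: the guide's three classes plus two deliberately weak ones.
SAMPLE_CONFIG = """
[edit]
system {
    login {
        class observation { idle-timeout 5; permissions [ view ]; }
        class operation {
            idle-timeout 5;
            permissions [ admin clear configure interface interface-control network
                reset routing routing-control snmp snmp-control trace-control
                firewall-control rollback ];
        }
        class engineering { idle-timeout 5; permissions all; }
        class helpdesk { permissions [ view shell maintenance ]; }
        class operator { idle-timeout 30; permissions [ view ]; }
    }
}
"""

if __name__ == "__main__":
    for cls, finding in audit(SAMPLE_CONFIG):
        print(f"class {cls}: {finding}")
```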
RELATED DOCUMENTATION
Junos OS User Accounts | 57
Junos OS Administrative Roles | 71
Junos OS User Access Privileges | 83
Junos OS Login Settings
IN THIS SECTION
Configuring Junos OS to Display a System Login Announcement | 44
Configuring System Alarms to Appear Automatically Upon Login | 46
Configuring Login Tips | 46
Examples: Configuring Time-Based User Access | 47
Configuring the Timeout Value for Idle Login Sessions | 48
Login Retry Options | 49
Limiting the Number of User Login Attempts for SSH and Telnet Sessions | 50
Example: Configuring Login Retry Options | 52
Junos OS allows you to specify various settings for the users after they have logged in. You can define what to notify for the users after they have logged in, display system alarms, provide login tips, or specify time-based user access, and limit the number of login attempts. Read this topic for more information.
Configuring Junos OS to Display a System Login Announcement
Sometimes you want to make announcements only to authorized users after they have logged in. For example, you might want to announce an upcoming maintenance event.
You can format the announcement using the following special characters:
• \n—New line
• \t—Horizontal tab
• \'—Single quotation mark
• \"—Double quotation mark
• \\—Backslash
If the message text contains any spaces, enclose it in quotation marks.
By default, no login announcement is displayed.
To configure an announcement that can be seen only by authorized users:
1. Include the announcement statement in the [edit system login] configuration.
[edit system login]
user@host# set announcement text
For example:
system {
    login {
        announcement "\tJuly 27th 1:00 AM to 8:00\n\nPlanned Network Maintenance\n\nAFFECTED LOCATIONS: Sunnyvale\n\nPLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC recommended firmware version\n\nPURPOSE: This activity will help to minimize the impact of unplanned power outages as well as address known issues within our currently installed firmware version(s)\n\nWHAT TO EXPECT: During the maintenance window for your site, the office network will not be available.\n\n";
        message "\n\n\n\tTP0 - M7i - iX Router Lab\n\n\tUNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!\n\n\tPlease contact \'astatti@juniper.net\' to gain\n\taccess to this equipment if you need authorization.\n\n\n";
    }
}
2. Commit the configuration.
[edit system login]
user@host# commit
3. Connect to the device in a new session to verify the presence of the new banner.
The preceding login message configuration example produces a login message similar to the following:
server% telnet host
Trying 203.0.113.0
Connected to host.example.net
Escape character is '^]'.
TP0 - M7i - iX Router Lab
UNAUTHORIZED USE OF THIS ROUTER
IS STRICTLY PROHIBITED!
Please contact 'astatti@juniper.net' to gain
access to this equipment if you need authorization
login: user
Password:
July 27th 1:00 AM to 8:00
Planned Network Maintenance
AFFECTED LOCATIONS: Sunnyvale
PLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC
recommended firmware version
PURPOSE: This activity will help to minimize the impact of unplanned power
outages as well as address known issues within our currently installed firmware
version(s)
WHAT TO EXPECT: During the maintenance window for your site, the office network
will not be available.
If the announcement text contains any spaces, enclose the text in quotation marks.
A system login announcement appears after the user logs in. A system login message appears before the user logs in.
TIP: You can use the same special characters described to format your system login announcement.
Configuring System Alarms to Appear Automatically Upon Login
You can configure Juniper Networks routers and switches to run the show system alarms command whenever a user with the login class admin logs in to the router or switch. To do so, include the login-alarms statement at the [edit system login class admin] hierarchy level.
[edit system login class admin]
login-alarms;
For more information on the show system alarms command, see the CLI Explorer.
SEE ALSO
show system alarms
Configuring Login Tips
The Junos OS CLI provides the option of configuring login tips for the user. By default, the tip command is not enabled when a user logs in.
• To enable tips, include the login-tip statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
login-tip;
Adding this statement enables the tip command for the class specified, provided the user logs in using the CLI.
Examples: Configuring Time-Based User Access
The following example shows how to configure user access for the operator-round-the-clock-access login class from Monday through Friday without any restriction on access time or duration of login:
[edit system]
login {
    class operator-round-the-clock-access {
        allowed-days [ monday tuesday wednesday thursday friday ];
    }
}
The following example shows how to configure user access for the operator-day-shift login class on Monday, Wednesday, and Friday from 8:30 AM to 4:30 PM:
[edit system]
login {
    class operator-day-shift {
        allowed-days [ monday wednesday friday ];
        access-start 0830;
        access-end 1630;
    }
}
Alternatively, you can also specify the login start time and end time for the operator-day-shift login class to be from 8:30 AM to 4:30 PM in the following format:
[edit system]
login {
    class operator-day-shift {
        allowed-days [ monday wednesday friday ];
        access-start 08:30am;
        access-end 04:30pm;
    }
}
The following example shows how to configure user access for the operator-day-shift-all-days-of-the-week login class to be on all days of the week from 8:30 AM to 4:30 PM:
[edit system]
login {
    class operator-day-shift-all-days-of-the-week {
        access-start 0830;
        access-end 1630;
    }
}
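An added example (not Juniper's code) that evaluates the allowed-days and access-start/access-end windows from the three classes above against a timestamp, accepting both time formats the guide shows; the wrap-past-midnight handling, the requirement that start and end be set together, the inclusive window edges, and the constructed night-shift class are this example's assumptions.

```python
"""Evaluate Junos OS time-based login-class access windows.

Added example, not Juniper's code. It models the allowed-days, access-start
and access-end statements shown in this guide and accepts both time formats
the examples use (0830 / 1630 and 08:30am / 04:30pm). Assumptions of this
example: window edges are inclusive, access-end earlier than access-start
means the window wraps past midnight, and start and end must be set together.
"""
import re
from datetime import datetime, time

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday",
        "saturday", "sunday")

# 'HHMM', 'HH:MM', optionally followed by am/pm (case-insensitive).
_TIME = re.compile(r"(\d{1,2}):?(\d{2})\s*(am|pm)?")


def parse_access_time(value):
    """Parse 'HHMM', 'HH:MM', 'HH:MMam' or 'HH:MMpm' into a datetime.time."""
    m = _TIME.fullmatch(value.strip().lower())
    if not m:
        raise ValueError(f"unrecognized access time: {value!r}")
    hour, minute, meridiem = int(m.group(1)), int(m.group(2)), m.group(3)
    if meridiem:
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour time out of range: {value!r}")
        hour = hour % 12 + (12 if meridiem == "pm" else 0)  # 12am -> 0, 4pm -> 16
    if hour > 23 or minute > 59:
        raise ValueError(f"time out of range: {value!r}")
    return time(hour, minute)


def login_permitted(login_class, when):
    """Return True if a user in login_class may log in at datetime `when`.

    login_class is a dict with optional keys 'allowed-days' (list of day
    names), 'access-start' and 'access-end' (strings as typed in the CLI).
    """
    allowed_days = login_class.get("allowed-days")
    if allowed_days is not None and DAYS[when.weekday()] not in allowed_days:
        return False
    start, end = login_class.get("access-start"), login_class.get("access-end")
    if start is None and end is None:
        return True  # no time-of-day window configured
    if start is None or end is None:
        raise ValueError("access-start and access-end must be set together")
    start_t, end_t, now = parse_access_time(start), parse_access_time(end), when.time()
    if start_t <= end_t:
        return start_t <= now <= end_t  # same-day window, e.g. 08:30 to 16:30
    return now >= start_t or now <= end_t  # window wraps past midnight


# Constructed input: the guide's three classes plus a night-shift class
# (not from the guide) to exercise the overnight-window assumption.
CLASSES = {
    "operator-round-the-clock-access": {
        "allowed-days": ["monday", "tuesday", "wednesday", "thursday", "friday"],
    },
    "operator-day-shift": {
        "allowed-days": ["monday", "wednesday", "friday"],
        "access-start": "08:30am",
        "access-end": "04:30pm",
    },
    "operator-day-shift-all-days-of-the-week": {
        "access-start": "0830",
        "access-end": "1630",
    },
    "night-shift": {"access-start": "2200", "access-end": "0600"},
}


def check(class_name, iso_timestamp):
    """Evaluate a class from CLASSES at an ISO 8601 timestamp, e.g. 2020-03-25T09:00."""
    return login_permitted(CLASSES[class_name], datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    for name in CLASSES:
        for stamp in ("2020-03-25T09:00", "2020-03-25T23:00", "2020-03-28T09:00"):
            print(f"{name:40} {stamp}  permitted={check(name, stamp)}")
```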
SEE ALSO
Configuring Time-Based User Access
Configuring the Timeout Value for Idle Login Sessions
An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the router or switch, even if that session is idle. To close idle sessions automatically, you must configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes. Idle-timeout can only be configured for user-defined classes. The configuration won't work for the system predefined classes: operator, read-only, super-user. These classes' values and permissions are not editable.
To define the timeout value for idle login sessions, include the idle-timeout statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
idle-timeout minutes;
Specify the number of minutes that a session can be idle before it is automatically closed.
If you have configured a timeout value, the CLI displays messages similar to the following when timing out an idle user. It starts displaying these messages 5 minutes before timing out the user.
user@host# Session will be closed in 5 minutes if there is no activity.
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
If you configure a timeout value, the session closes after the specified time has elapsed, unless the user is running telnet or monitoring interfaces using the monitor interface or monitor traffic command.
Login Retry Options
The security administrator can configure the number of times a user can try to log in to the device with invalid login credentials. The device can be locked after the specified number of unsuccessful authentication attempts. This helps to protect the device from malicious users attempting to access the system by guessing an account's password. The security administrator can unlock the user account or define a time period for the user account to remain locked.
The system lockout-period defines the amount of time the device can be locked for a user account after a specified number of unsuccessful login attempts.
The security administrator can configure a period of time after which an inactive session will be locked and require re-authentication to be unlocked. This helps to protect the device from being idle for a long period before the session times out.
The system idle-timeout defines the length of time the CLI operational mode prompt remains active before the session times out.
The security administrator can configure a banner with an advisory notice to be displayed before the identification and authentication screen.
The system message defines the system login message. This message appears before a user logs in.
The number of reattempts the device allows is defined by the tries-before-disconnect option. The device allows 3 unsuccessful attempts by default or as configured by the administrator. The device prevents locked users from performing activities that require authentication until a security administrator manually clears the lock or the defined time period for the device to remain locked has elapsed. However, the existing locks are ignored when the user attempts to log in from the local console.
NOTE: To clear the console during an administrator-initiated logout, the administrator must configure the set system login message "message string" such that the message-string contains newline (\n) characters and a login banner message at the end of the \n characters.
To ensure that configuration information is cleared completely, the administrator can enter 50 or more \n characters in the message-string of the command set system login message "message string".
For example, set system login message "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nWelcome to Junos!!!"
Limiting the Number of User Login Attempts for SSH and Telnet Sessions
You can limit the number of times a user can attempt to enter a password while logging in through SSH or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.
To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:
[edit system login]
retry-options {
    tries-before-disconnect number;
    backoff-threshold number;
    backoff-factor seconds;
    maximum-time seconds;
    minimum-time seconds;
}
You can configure the following options:
• tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. Theconnection closes if a user fails to log in after the number specified. The range is from 1 through 10, andthe default is 10.
• backoff-threshold—Threshold for the number of failed login attempts before the user experiences adelay in being able to enter a password again. Use the backoff-factor option to specify the length of thedelay in seconds. The range is from 1 through 3, and the default is 2.
• backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default is 5 seconds.
• maximum-time seconds—Maximum length of time, in seconds, that the connection remains open for the user to enter a username and password to log in. If the user remains idle and does not enter a username and password within the configured maximum-time, the connection is closed. The range is from 20 through 300 seconds, and the default is 120 seconds.
• minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 40.
The following example shows how to limit the user to four attempts when the user enters a password while logging in through SSH or Telnet:
Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of stopping brute force attacks from compromising your network security. Brute force attackers execute a large number of login attempts in a short period of time to illegitimately gain access to a private network. By configuring the retry-options statement, you can create an increasing delay after each failed login attempt, eventually disconnecting any user who passes your set threshold of login attempts.
Set the backoff-threshold to 2, the backoff-factor to 5 seconds, and the minimum-time to 40 seconds. The user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt to enter a correct password, the user experiences an additional 10-second delay, and the connection closes after a total of 40 seconds.
The additional variables maximum-time and lockout-period are not set in this example.
[edit]
system {
    login {
        retry-options {
            backoff-threshold 2;
            backoff-factor 5;
            minimum-time 40;
            tries-before-disconnect 4;
        }
        password {
        }
    }
}
NOTE: This sample only shows the portion of the [edit system login] hierarchy level being modified.
Example: Configuring Login Retry Options
IN THIS SECTION
Requirements | 52
Overview | 52
Configuration | 54
Verification | 55
This example shows how to configure system retry options to protect the device from malicious users.
Requirements
Before you begin, you should understand “Login Retry Options” on page 49.
No special configuration beyond device initialization is required before configuring this feature.
Overview
Malicious users sometimes try to log in to a secure device by guessing an authorized user account's password. Locking out a user account after a number of failed authentication attempts helps protect the device from malicious users.
Device lockout allows you to configure the number of failed attempts before the user account is locked out of the device and configure the amount of time before the user can attempt to log in to the device again. You can configure the amount of time in between failed login attempts of a user account and can manually lock and unlock user accounts.
NOTE: This example includes the following settings:
• backoff-factor—Sets the length of delay in seconds after each failed login attempt. When a user incorrectly logs in to the device, the user must wait the configured amount of time before attempting to log in to the device again. The length of delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold statement. The default value for this statement is five seconds, with a range of five to ten seconds.
• backoff-threshold—Sets the threshold for the number of failed login attempts on the device before the user experiences a delay when attempting to reenter a password. When a user incorrectly logs in to the device and hits the threshold of failed login attempts, the user experiences a delay that is set in the backoff-factor statement before attempting to log in to the device again. The default value for this statement is two, with a range of one through three.
• lockout-period—Sets the amount of time in minutes before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly after the number of allowed attempts specified by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again. The lockout-period must be greater than zero. The range at which you can configure the lockout-period is one through 43,200 minutes.
• tries-before-disconnect—Sets the maximum number of times the user is allowed to enter a password to attempt to log in to the device through SSH or Telnet. When the user reaches the maximum number of failed login attempts, the user is locked out of the device. The user must wait the configured number of minutes in the lockout-period statement before attempting to log back in to the device. The tries-before-disconnect statement must be set when the lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The default number of attempts is ten, with a range of one through ten attempts.
Once a user is locked out of the device, if you are the security administrator, you can manually remove the user from this state using the clear system login lockout command. You can also use the show system login lockout command to view which users are currently locked out, when the lockout period began for each user, and when the lockout period ends for each user.
If the security administrator is locked out of the device, the administrator can log in to the device from the console port, which ignores any user locks. This provides a way for the administrator to remove the user lock on their own user account.
In this example the user waits for the backoff-threshold multiplied by the backoff-factor interval, in seconds, to get the login prompt. In this example, the user must wait 5 seconds after the first failed login attempt and 10 seconds after the second failed login attempt to get the login prompt. The user gets disconnected after 15 seconds after the third failed attempt because the tries-before-disconnect option is configured as 3.
The user cannot attempt another login until 120 minutes have elapsed, unless a security administrator manually clears the lock sooner.
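The following is an added example (our code, not Juniper's) that models the retry-options statements described in "Limiting the Number of User Login Attempts for SSH and Telnet Sessions" above and in this Overview. It validates the documented value ranges, emits the equivalent set commands, parses the show system login retry-options output format used in this example, and computes a per-attempt delay schedule. The schedule model (the delay equals backoff-factor on the attempt that reaches backoff-threshold and grows by backoff-factor on each later failure) is our reading of the prose and reproduces the 5, 10, 15 second progression of this example; it is not an observed device trace.

```python
"""Model of the [edit system login retry-options] statements (added example, not Juniper code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented ranges (min, max) for each retry-options statement.
RANGES: Dict[str, Tuple[int, int]] = {
    "tries-before-disconnect": (1, 10),
    "backoff-threshold": (1, 3),
    "backoff-factor": (5, 10),
    "maximum-time": (20, 300),
    "minimum-time": (20, 60),
    "lockout-period": (1, 43200),   # minutes
}

# One "statement value;" line of `show system login retry-options` output.
STMT_RE = re.compile(r"^\s*([a-z-]+)\s+(\d+);\s*$")


@dataclass
class RetryOptions:
    # Defaults are the documented device defaults; None means "not configured".
    tries_before_disconnect: int = 10
    backoff_threshold: int = 2
    backoff_factor: int = 5
    maximum_time: Optional[int] = None
    minimum_time: Optional[int] = None
    lockout_period: Optional[int] = None

    def _items(self) -> Dict[str, Optional[int]]:
        return {name: getattr(self, name.replace("-", "_")) for name in RANGES}

    def validate(self) -> List[str]:
        """Return the out-of-range statements; an empty list means all values are valid."""
        problems = []
        for name, value in self._items().items():
            if value is None:
                continue
            lo, hi = RANGES[name]
            if not lo <= value <= hi:
                problems.append(f"{name} {value} outside {lo}..{hi}")
        return problems

    def set_commands(self) -> List[str]:
        """The `set` commands that produce this configuration at the [edit] level."""
        return [f"set system login retry-options {name} {value}"
                for name, value in self._items().items() if value is not None]

    def delay_schedule(self) -> List[int]:
        """Seconds the user waits after failed attempt 1..tries-before-disconnect (assumed model)."""
        delays = []
        for attempt in range(1, self.tries_before_disconnect + 1):
            if attempt < self.backoff_threshold:
                delays.append(0)
            else:
                delays.append((attempt - self.backoff_threshold + 1) * self.backoff_factor)
        return delays


def parse_retry_options(show_output: str) -> RetryOptions:
    """Build RetryOptions from `show system login retry-options` output."""
    kwargs = {}
    for line in show_output.splitlines():
        m = STMT_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name not in RANGES:
            raise ValueError(f"unknown retry-options statement: {name}")
        kwargs[name.replace("-", "_")] = value
    return RetryOptions(**kwargs)


# Output as shown in the Results step of this example (copied here as sample input).
SAMPLE_SHOW_OUTPUT = """\
backoff-factor 5;
backoff-threshold 1;
lockout-period 5;
tries-before-disconnect 3;
"""

if __name__ == "__main__":
    opts = parse_retry_options(SAMPLE_SHOW_OUTPUT)
    print("problems:", opts.validate() or "none")
    print("\n".join(opts.set_commands()))
    print("delay after each failed attempt (s):", opts.delay_schedule())
    if opts.lockout_period is not None:
        print(f"locked out for {opts.lockout_period} minute(s) after attempt {opts.tries_before_disconnect}")
```

Running the script on the sample output prints the four set commands and the schedule [5, 10, 15]; feeding it a value outside the documented ranges (for example backoff-factor 3) yields a problem entry instead of a silently accepted commit.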
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system login retry-options backoff-factor 5
set system login retry-options backoff-threshold 1
set system login retry-options lockout-period 120
set system login retry-options tries-before-disconnect 3
Step-by-Step Procedure
To configure system retry-options:
1. Configure the backoff factor.
[edit]
user@host# set system login retry-options backoff-factor 5
2. Configure the backoff threshold.
[edit]
user@host# set system login retry-options backoff-threshold 1
3. Configure the amount of time the device stays locked after failed attempts.
[edit]
user@host# set system login retry-options lockout-period 5
4. Configure the number of unsuccessful attempts during which the device remains unlocked.
[edit]
user@host# set system login retry-options tries-before-disconnect 3
Results
From configuration mode, confirm your configuration by entering the show system login retry-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show system login retry-options
backoff-factor 5;
backoff-threshold 1;
lockout-period 5;
tries-before-disconnect 3;
Confirm that the configuration is working properly.
If you are done configuring the device, enter commit from configuration mode.
Verification
Displaying the Locked User Logins
Purpose
Verify that the login lockout configuration is enabled.
Action
Attempt three unsuccessful logins for a particular username. The device will be locked for that username; then log in to the device with a different username. From operational mode, enter the show system login lockout command.
Meaning
When you perform three unsuccessful login attempts with a particular username, the device is locked for that user for five minutes, as configured in the example. You can verify that the device is locked for that user by logging in to the device with a different username and entering the show system login lockout command.
RELATED DOCUMENTATION
Junos OS Login Classes Overview | 37
Junos OS User Accounts | 57
CHAPTER 2
User Accounts
Junos OS User Accounts | 57
Junos OS Administrative Roles | 71
Junos OS User Access Privileges | 83
Junos OS User Accounts
IN THIS SECTION
Junos OS User Accounts Overview | 57
Junos-FIPS Crypto Officer and User Accounts Overview | 59
Example: Configuring User Accounts | 60
Example: Configuring New Users | 61
Configuring Junos OS User Accounts by Using a Configuration Group | 68
Junos OS allows you to create accounts for router, switch, and security users. All users also belong to one of the system login classes.
Junos OS requires that all users have a predefined user account before they can log in to the device. For each user account, you define the login name for the user and, optionally, information that identifies the user. User accounts provide a way for users to access a router, switch, or security device. Read this topic for more information.
Junos OS User Accounts Overview
User accounts provide one way for users to access the device. (Users can access the device without accounts if you configured RADIUS or TACACS+ servers, as described in "Junos OS User Authentication Methods" on page 172.) For each account, you define the login name and password for the user and, optionally, additional parameters and metadata for the user. After you have created an account, the software creates a home directory for the user.
An account for the user root is always present in the configuration. You configure the password for root using the root-authentication statement, as described in "Configuring the Root Password" on page 142.
It is a common practice to use remote authentication servers to centrally store information about users. Even so, it is also a good practice to configure at least one non-root user directly on each device, in case access to the remote authentication server is disrupted. This one non-root user commonly has a generic name, such as admin.
For each user account, you can define the following:
• Username: Name that identifies the user. It must be unique within the device. Do not include spaces, colons, or commas in the username. The username can be up to 64 characters long.
• User's full name: (Optional) If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.
• User identifier (UID): (Optional) Numeric identifier that is associated with the user account name. Typically there is no need to set the UID because the software automatically assigns it when you commit the configuration. However, if you manually configure the UID, it must be in the range from 100 through 64,000 and must be unique within the device.
You must ensure that the UID is unique. However, it is possible to assign the same UID to different users. If you do this, the CLI displays a warning when you commit the configuration and then assigns the duplicate UID.
• User's access privilege: (Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy level, or one of the default classes listed in "Junos OS User Access Privileges" on page 83.
• Authentication method or methods and passwords that the user can use to access the device—You can use SSH or a Message Digest 5 (MD5) password, or you can enter a plain-text password that the Junos OS encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user's password. If you configure the plain-text-password option, you are prompted to enter and confirm the password:
[edit system login user username]
user@host# set authentication plain-text-password
New password: type password here
Retype new password: retype password here
The default requirements for plain-text passwords are:
• The password must be between 6 and 128 characters long.
• You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.
• Valid passwords must contain at least one change of case or character class.
Junos-FIPS and Common Criteria have special password requirements. FIPS and Common Criteria passwords must be between 10 and 20 characters in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the device, you cannot configure passwords unless they meet this standard.
For SSH authentication, you can copy the contents of an SSH key file into the configuration or directly configure SSH key information. Use the load-key-file URL filename command to load an SSH key file that was previously generated, e.g. by using ssh-keygen. The URL filename is the path to the file's location and name. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys. The contents of the SSH key file are copied into the configuration immediately after you enter the load-key-file statement. Optionally, you can use the ssh-dsa public key and the ssh-rsa public key statements to directly configure SSH keys.
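The following is an added example (our code, not Juniper's) that applies the account rules listed above as a pre-commit check: username form and length, no colons or commas in full names, the UID range and uniqueness (a duplicate UID is reported as a warning, matching the CLI's commit behaviour), the default plain-text password rules, and the stricter Junos-FIPS and Common Criteria rule. How "other special characters" is separated from "punctuation marks" is our assumption: characters in Python's string.punctuation count as punctuation, any remaining non-alphanumeric character as "other". The sample accounts are constructed for the demonstration; two of them reuse names from the configuration example in this topic.

```python
"""Pre-commit checks for Junos OS user accounts (added example, not Juniper code)."""
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

UID_RANGE = (100, 64000)


def char_class(ch: str) -> str:
    """Map a character to one of the five character sets named in the guide (assumed split)."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    if ch in string.punctuation:
        return "punct"
    return "other"


def check_password(pw: str, fips: bool = False) -> List[str]:
    """Return rule violations for a plain-text password; an empty list means acceptable."""
    problems = []
    classes_used = {char_class(c) for c in pw}
    if fips:
        if not 10 <= len(pw) <= 20:
            problems.append("FIPS/Common Criteria password must be 10 to 20 characters")
        if len(classes_used) < 3:
            problems.append("FIPS/Common Criteria password must use at least three character sets")
    else:
        if not 6 <= len(pw) <= 128:
            problems.append("password must be 6 to 128 characters")
        # "At least one change of case or character class" is equivalent to
        # the password drawing on two or more classes.
        if len(classes_used) < 2:
            problems.append("password must contain a change of case or character class")
    if any(ord(c) < 32 or ord(c) == 127 for c in pw):
        problems.append("warning: control characters are not recommended")
    return problems


@dataclass
class UserAccount:
    username: str
    user_class: str                       # login class, e.g. super-user or operator
    full_name: Optional[str] = None
    uid: Optional[int] = None
    plain_text_password: Optional[str] = None


def validate_accounts(accounts: List[UserAccount], fips: bool = False) -> Dict[str, List[str]]:
    """Check every account; maps username -> problems (entries prefixed 'warning:' do not block)."""
    report: Dict[str, List[str]] = {}
    seen_names, seen_uids = set(), {}
    for acct in accounts:
        problems = []
        name = acct.username
        if not name or len(name) > 64:
            problems.append("username must be 1 to 64 characters")
        if any(c in name for c in " :,"):
            problems.append("username must not contain spaces, colons or commas")
        if name in seen_names:
            problems.append("username is not unique")
        seen_names.add(name)
        if acct.full_name and any(c in acct.full_name for c in ":,"):
            problems.append("full name must not contain colons or commas")
        if acct.uid is not None:
            lo, hi = UID_RANGE
            if not lo <= acct.uid <= hi:
                problems.append(f"uid {acct.uid} outside {lo}..{hi}")
            if acct.uid in seen_uids:
                # The CLI warns at commit time but still assigns the duplicate UID.
                problems.append(f"warning: uid {acct.uid} already used by {seen_uids[acct.uid]}")
            else:
                seen_uids[acct.uid] = name
        if not acct.user_class:
            problems.append("login class is required")
        if acct.plain_text_password is not None:
            problems.extend(check_password(acct.plain_text_password, fips))
        report.setdefault(name, []).extend(problems)
    return report


def has_errors(problems: List[str]) -> bool:
    """True if any entry is a hard error rather than a warning."""
    return any(not p.startswith("warning:") for p in problems)


def set_commands(acct: UserAccount) -> List[str]:
    """`set` commands for one account; the password itself is entered interactively, so it is omitted."""
    prefix = f"set system login user {acct.username}"
    cmds = []
    if acct.full_name:
        cmds.append(f'{prefix} full-name "{acct.full_name}"')
    if acct.uid is not None:
        cmds.append(f"{prefix} uid {acct.uid}")
    cmds.append(f"{prefix} class {acct.user_class}")
    return cmds


# Constructed sample: two accounts from the configuration example plus one deliberately flawed one.
SAMPLE_ACCOUNTS = [
    UserAccount("philip", "super-user", "Philip of Macedonia", 1001, "Macedon1a"),
    UserAccount("darius", "operator", "Darius King of Persia", 1003),
    UserAccount("new user", "operator", "First, Last", 50, "abcdef"),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        problems = validate_accounts([acct])[acct.username]
        print(acct.username, "->", problems or "ok")
        if not has_errors(problems):
            print("\n".join(set_commands(acct)))
```

The flawed third account fails on all four rules it breaks (a space in the username, a comma in the full name, a UID below 100, and a single-class password), so nothing is emitted for it; the same password that passes the default rules is rejected in FIPS mode because it is shorter than 10 characters.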
The following TLS version and cipher suite combinations will fail when you use the specified type of host key.
With RSA host keys:
• TLS_1.0@DHE-RSA-AES128-SHA
• TLS_1.0@DHE-RSA-AES256-SHA
With DSA host keys:
• TLS 1.0 (default ciphers)
• TLS 1.1 (default ciphers)
• TLS_1.0@DHE-DSS-AES128-SHA
• TLS_1.0@DHE-DSS-AES256-SHA
For each user account and for root logins, you can configure more than one public RSA or DSA key for user authentication. When a user logs in using a user account or as root, the configured public keys are referenced to determine whether the private key matches any of them.
To view the SSH key entries, use the configuration mode show command. For example:
[edit system login user boojum]
user@host# set authentication load-key-file my-host:.ssh/id_dsa.pub
.file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
[edit system]
user@host# show
root-authentication {
    ssh-rsa "$ABC123"; # SECRET-DATA
}
Junos-FIPS Crypto Officer and User Accounts Overview
Junos-FIPS defines a restricted set of user roles. Unlike the Junos OS, which enables a wide range of capabilities to users, FIPS 140-2 defines specific types of users (Crypto Officer, User, and Maintenance). Crypto Officers and FIPS Users perform all FIPS-related configuration tasks and issue all FIPS-related commands. Crypto Officer and FIPS User configurations must follow FIPS 140-2 guidelines. Typically, no user besides a Crypto Officer can perform FIPS-related tasks.
Crypto Officer User Configuration
Junos-FIPS offers finer control of user permissions than those mandated by FIPS 140-2. For FIPS 140-2 conformance, any Junos-FIPS user with the secret, security, and maintenance permission bits set is a Crypto Officer. In most cases, the super-user class should be reserved for a Crypto Officer. A FIPS User can be defined as any Junos-FIPS user that does not have the secret, security, and maintenance bits set.
FIPS User Configuration
A Crypto Officer sets up FIPS Users. FIPS Users can be granted permissions normally reserved for a Crypto Officer; for example, permission to zeroize the system and individual AS-II FIPS PICs.
Example: Configuring User Accounts
The following example shows how to create accounts for four router or switch users, and create an account for the template user remote. All users use one of the default system login classes. User alexander also has two digital signature algorithm (DSA) public keys configured for SSH authentication.
[edit]
system {
    login {
        user philip {
            full-name "Philip of Macedonia";
            uid 1001;
            class super-user;
            authentication {
                encrypted-password "$ABC123";
            }
        }
        user alexander {
            full-name "Alexander the Great";
            uid 1002;
            class view;
            authentication {
                encrypted-password "$ABC123";
                ssh-dsa "8924 37 5678 5678@gaugamela.per";
                ssh-dsa "6273 94 9283@boojum.per";
            }
        }
        user darius {
            full-name "Darius King of Persia";
            uid 1003;
            class operator;
            authentication {
                ssh-rsa "1024 37 12341234@ecbatana.per";
            }
        }
        user anonymous {
            class unauthorized;
        }
        user remote {
            full-name "All remote users";
            uid 9999;
            class read-only;
        }
    }
}
Example: Configuring New Users
IN THIS SECTION
Requirements | 61
Overview | 62
Configuration | 62
Verification | 67
This example shows how to configure new users.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
You can add new users to the dev